CVE-2026-3585
Path Traversal in The Events Calendar Plugin Allows File Disclosure
Publication date: 2026-03-10
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| moderntribe | the_events_calendar | to 6.15.17 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of sensitive information stored on the server.
Since attackers with Author-level access can exploit this flaw, they can read arbitrary files, potentially exposing credentials, configuration files, or other confidential data.
Such information leakage can compromise the security of the website and its users.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
Can you explain this vulnerability to me?
The Events Calendar plugin for WordPress, up to and including version 6.15.17, contains a Path Traversal vulnerability in the 'ajax_create_import' function.
This vulnerability allows authenticated attackers with Author-level access or higher to read arbitrary files on the server by exploiting the path traversal flaw.
As a result, attackers can access sensitive information stored in files on the server that they should not normally be able to read.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability affects all versions of The Events Calendar plugin up to and including 6.15.17. Immediate mitigation involves updating the plugin to a version later than 6.15.17 where the path traversal issue in the 'ajax_create_import' function is fixed.
Additionally, restricting Author-level access and above to trusted users can reduce the risk, since the vulnerability requires authenticated users with at least Author privileges.